CN112565299A - Content-based optimization and pre-fetch mechanism for security analysis of network devices - Google Patents


Info

Publication number
CN112565299A
Authority
CN
China
Prior art keywords
content
classification
value
network device
lookup
Prior art date
Legal status
Granted
Application number
CN202011562406.0A
Other languages
Chinese (zh)
Other versions
CN112565299B (en)
Inventor
V·R·R·曼塞纳
C·纳加拉加
Current Assignee
Juniper Networks Inc
Original Assignee
Juniper Networks Inc
Events
Application filed by Juniper Networks Inc
Priority to CN202011562406.0A
Publication of CN112565299A
Application granted
Publication of CN112565299B
Legal status: Active

Classifications

    • G06F21/552 Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/0245 Filtering policies; filtering by information in the payload
    • G06F16/258 Data format conversion from or to a database
    • G06F16/285 Relational databases; clustering or classification
    • G06F16/9017 Indexing; data structures and storage structures using directory or table look-up
    • G06F21/564 Static malware detection by virus signature recognition
    • G06F21/602 Protecting data; providing cryptographic facilities or services
    • H04L63/1425 Monitoring network traffic; traffic logging, e.g. anomaly detection
    • H04L63/145 Countermeasures against malicious traffic where the attack involves the propagation of malware through the network, e.g. viruses, trojans or worms
    • H04L67/568 Provisioning of proxy services; storing data temporarily at an intermediate stage, e.g. caching
    • H04L67/5681 Pre-fetching or pre-delivering data based on network characteristics
    • H04L9/0643 Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
    • G06F16/9574 Browsing optimisation, e.g. caching or content distillation of access to content, e.g. by caching


Abstract

Embodiments of the present disclosure relate to content-based optimization and pre-fetching mechanisms for security analysis of network devices. A method includes determining, by a first device, a first value of a first portion of content; performing, by the first device, a first lookup of the first value to identify a classification of the content; determining, by the first device, that the first lookup fails to identify a classification result; determining, by the first device, a second value for a second portion of the content based on determining that the first lookup fails to identify the classification result, the second portion of the content being larger than the first portion of the content; performing, by the first device, a second lookup of the second value to identify a classification of the content; selectively: determining, by the first device, a classification of the content by providing the second value or the second portion of the content to a second device based on the second lookup not indicating a match; or determining, by the first device, a classification of the content based on the second lookup indicating a match; and performing, by the first device, one or more actions with respect to the content based on the classification of the content.

Description

Content-based optimization and pre-fetch mechanism for security analysis of network devices
RELATED APPLICATIONS
This application is a divisional application of the invention patent application with application number 201711129036.X, filed on 5 November 2017, and titled "Content-based optimization and pre-fetching mechanism for security analysis of network devices".
Technical Field
The present invention relates to a content-based optimization and pre-fetching mechanism for security analysis of network devices.
Background
Malware (i.e., malicious software) may refer to any software used to disrupt the operation of a computer or mobile device. This may include collecting sensitive information, gaining access to private computer systems, and/or displaying unwanted advertisements. Malware may include viruses, worms, trojan horses, adware, spyware, keyloggers, phishing, and the like.
Disclosure of Invention
According to some possible implementations, a first device may include one or more processors to receive content from a second device based on a request for the content. The request may come from a third device. The one or more processors may determine a value of a portion of the content using a hash function based on receiving the content from the second device. The value may uniquely identify the portion of the content. The one or more processors may determine, based on determining the value of the portion of the content, whether the classification of the content can be determined by performing a lookup of the value in a data store. The classification is associated with an action to be performed by the first device with respect to the content. The one or more processors may selectively determine the classification of the content by providing the value, or the portion of the content corresponding to the value, to a fourth device to allow the fourth device to determine the classification of the content, based on determining that the classification of the content cannot be determined by performing the lookup; or may determine the classification of the content based on determining that the classification of the content can be determined by performing the lookup. The one or more processors may perform an action with respect to the content based on the classification of the content after determining the classification.
According to some possible implementations, a non-transitory computer-readable medium may store one or more instructions that, when executed by one or more processors, cause the one or more processors to receive content from one or more server devices based on one or more requests for content. The one or more requests may come from one or more client devices. The one or more requests may include information associated with at least one of one or more client devices, one or more server devices, or content being requested. The one or more instructions, when executed by the one or more processors, may cause the one or more processors to determine one or more values for one or more portions of the content based on receiving the content from the one or more server devices, wherein the one or more values are to be used to identify one or more classifications of the content. The one or more instructions, when executed by the one or more processors, may cause the one or more processors to determine whether one or more classifications of content can be determined based on one or more values of one or more portions of the content. The one or more classifications may indicate whether the content is potentially harmful to the one or more client devices. The one or more instructions, when executed by the one or more processors, may cause the one or more processors to selectively determine one or more classifications of the content when the one or more classifications of the content can be determined based on one or more values of one or more portions of the content, or determine the one or more classifications of the content by providing the one or more values or the one or more portions of the content corresponding to the one or more values to one or more security analytics devices when the one or more classifications of the content cannot be determined based on the one or more values of the one or more portions of the content. 
The one or more instructions, when executed by the one or more processors, may cause the one or more processors to perform one or more actions based on the one or more classifications of the content after determining the one or more classifications.
According to some possible implementations, a method may include receiving, by a first device, content from a plurality of second devices based on a plurality of requests for the content. The first device may be located between the plurality of second devices and a plurality of third devices providing the plurality of requests. The method may include determining, by the first device, a plurality of values for a plurality of portions of the content using a function based on receiving the content from the plurality of second devices, wherein the plurality of values are to be used to analyze the content. The plurality of values may uniquely identify the plurality of portions of the content. The method may include determining, by the first device, whether a plurality of classifications of the content can be determined based on the plurality of values of the plurality of portions of the content. The method may include selectively determining, by the first device, the plurality of classifications of the content by providing the plurality of values, or the plurality of portions of the content corresponding to the plurality of values, to one or more fourth devices when the plurality of classifications of the content cannot be determined, or using, by the first device, a data store to determine the plurality of classifications of the content when the plurality of classifications of the content can be determined. The method may include performing, by the first device, a plurality of actions with respect to the content based on the plurality of classifications of the content after determining the plurality of classifications.
Drawings
FIGS. 1A and 1B are overview diagrams of example implementations described herein;
FIG. 2 is a diagram of an example environment in which systems and/or methods described herein may be implemented;
FIG. 3 is a diagram of example components of one or more of the devices of FIG. 2;
FIG. 4 is a flow diagram of an example process for optimizing security analysis on a network device;
FIGS. 5A and 5B are diagrams of an example implementation related to the example process shown in FIG. 4;
FIG. 6 is a diagram of an example implementation associated with the example process shown in FIG. 4;
FIG. 7 is a diagram of an example implementation associated with the example process shown in FIG. 4;
FIG. 8 is a diagram of an example implementation associated with the example process shown in FIG. 4; and
FIG. 9 is a diagram of an example implementation related to the example process shown in FIG. 4.
Detailed Description
The following detailed description of example implementations refers to the accompanying drawings. The same reference numbers in different drawings may identify the same or similar elements.
As the threat from harmful content increases, network devices performing security functions must process more and more content to determine if the content is harmful. This may result in a delay with respect to providing the content to the destination. In addition, a network device may have to provide content to another device for processing, consuming significant network resources (e.g., bandwidth) and degrading network performance.
Implementations described herein enable a network device to determine a classification of content, in connection with performing a security function, by determining a value (e.g., a digest) of the content and using the value to determine the classification. Further, implementations described herein can optimize the use of multiple values for portions of the content of various sizes to reduce the number of values determined for the content. In this manner, the network device reduces the amount of content that it needs to process to determine the classification of the content, thereby saving processing resources and reducing latency. Further, in this manner, the network device reduces the amount of information that may have to be sent to the security analysis device for processing (e.g., when the network device fails to determine the classification of the content), thereby conserving network resources and improving network performance. Further, in this manner, these implementations optimize the network resources involved in providing content to external security analysis devices when values of the full or partial content have previously been classified. Further, in this manner, implementations provide mechanisms to prevent security breaches based on, for example, hypertext transfer protocol (HTTP) content-range header techniques.
Fig. 1A and 1B are overview diagrams of an example implementation 100 described herein. As shown in fig. 1A and 1B, example implementation 100 may include a client device obtaining content from a server device via a network device. The network device may provide information associated with the content to the security analysis device for analysis of the information. Some implementations may include services (e.g., public or private services) provided by the device that may perform analysis of content or values of content, and provide classification of content (e.g., rather than security analysis devices). The network device may calculate a value (e.g., a digest) based on the content, and may determine a classification of the content based on the value. In some implementations, the network device may determine the classification of the content based on processing the content, and/or based on information from a security analysis device determined via processing of the content that the security analysis device is performing in real-time or that the security analysis device has previously performed.
As shown in fig. 1A, and by reference numeral 110, a network device may receive a request for content from a client device and may provide the request to a server device. In this case, the network device may apply rules regarding the request based on the information contained in the request. For example, the network device may block the request, such as based on information included in the request identifying the source of the request, the destination of the request, the requested content, and so forth, or may allow the request to be sent to the server device.
As indicated by reference numeral 120, the network device may receive content from the server device. For example, a server device may process a request and may provide requested content to a network device.
As indicated by reference numeral 130, the network device may calculate a value for a portion of the content. For example, the network device may use a hash function to calculate the value of the content. Continuing with the previous example, the network device may calculate a value for a one Kilobyte (KB) portion, a 10KB portion, a 100KB portion, a 1 Megabyte (MB) portion of the content, and so on.
The network device may determine a plurality of values for the content. For example, the network device may determine the value of one KB portion, and may attempt to determine the classification of the content using one KB portion (as described below) before determining the value of the 10KB portion. Continuing with the previous example, if the network device successfully determines the classification of the content based on the value determined for one KB portion, the network device may refrain from determining the value of the 10KB portion. This saves processing resources of the network device by reducing the number of values that the network device must determine when identifying the classification of the content, and optimizes the security analysis via using values for smaller portions of the content.
As indicated by reference numeral 140, the network device may perform a lookup of the value to identify a classification of the content (e.g., phishing, adware, etc.). For example, the network device may perform the lookup using a data store of the network device or of another network device. In some implementations, the data store may be located on the network device, or closer to the network device relative to other devices, thereby reducing delays associated with retrieving information from the data store and increasing efficiency associated with retrieving information from the data store. If the network device successfully identifies the classification of the content, the network device may perform an action related to the content, as described in more detail below. Conversely, if the network device is unable to identify the classification of the content, the network device may determine to provide the value to the security analysis device (e.g., to cause the security analysis device to attempt to determine the classification of the content based on the value).
As shown in fig. 1B, and by reference numeral 150, the network device may provide the value, or the corresponding portion of the content, to the security analysis device to allow the security analysis device to process the value and/or the portion of the content. For example, the network device may provide the value or the portion of the content based on the classification being unable to be identified using the data store.
The network device may first provide the value to the security analysis device, for example when providing the value consumes less network resources relative to providing a portion of the content. If the security analysis device cannot identify the classification of the content using the value, the network device may provide a portion of the content after providing the value. This saves network resources by reducing the amount of information (e.g., content or values determined for content) provided to the security analysis device.
In some cases, if the security analysis device uses a portion of the content without successfully identifying the classification, the network device may determine another value for another portion of the content. In other words, the example implementation 100 may include a return to reference numeral 130. For example, the network device may determine a value for a portion that is larger than a portion associated with a previously determined value. Continuing with the previous example, when the originally determined value is for one KB portion, the network device may determine a value for the 10KB portion. In this way, the network device optimizes determining the classification of the content by using the values of increasingly larger portions of the content to determine the classification of the content.
This saves network resources by reducing the amount of information provided to the security analysis device. In addition, this saves processing resources of the network device and the security analysis device by reducing the amount of information provided by the network device, received by the security analysis device, and/or processed by the security analysis device. For example, the network device may not have to provide the information and/or content to the security analysis device, such as when the information and/or content has been previously provided to the security analysis device, when the classification may be determined based on a portion of the content (e.g., to preclude the need to provide the entire content), and/or the like. This further saves network resources such as network bandwidth and/or allows the network device to wait before providing information and/or content to the security analysis device, thereby saving processing resources of the network device.
The security analysis device may process the received values and/or corresponding portions of the content to determine the classification. For example, the security analysis device may perform a lookup of a value or portion of the content, examine a portion of the content, and so on.
As indicated by reference numeral 160, the network device may receive information identifying a content classification from the security analysis device. For example, the network device may receive information from the security analysis device identifying the content as malware, adware, spyware, merchandise, allowed content, and/or the like. Additionally or alternatively, the network device may receive a set of instructions from the security analysis device to perform additional security services, e.g., according to a classification of content such as an intrusion prevention service, to perform additional authentication, to implement a passcode, etc.
As indicated by reference numeral 170, the network device may perform an action based on the classification of the content. For example, if the content is classified as malware, the network device may discard the content and may not provide the content to the client device. As another example, the network device may allow the content if the content is not classified as malware, is classified as a particular type of allowed content, or the like.
As indicated by reference numeral 180, the network device may provide the content to the client device based on the classification of the content. For example, the network device may provide the content based on the content not being classified as malware. As another example, the network device may provide the content based on the content being classified as allowable content.
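The walk described at reference numerals 130 through 170, as an added illustration that is not code from the patent or from Juniper: the network device digests a small prefix of the content, looks the digest up locally, and only on a miss sends the cheap value and then the portion itself to the analysis device, before moving to the next larger portion. The portion sizes come from the description; SHA-256 as the hash function, the in-memory data store, the constructed analysis device and its marker-string "inspection" are all assumptions made for the example.

```python
import hashlib
from typing import Dict, List, Optional

# Portion sizes from the description (1 KB, 10 KB, 100 KB, 1 MB), tried smallest first.
PORTION_SIZES = [1024, 10 * 1024, 100 * 1024, 1024 * 1024]


def portion_sizes(length: int) -> List[int]:
    """Prefix lengths to digest for content of `length` bytes, smallest first.

    The walk stops at the first step that already covers the whole content
    (a longer prefix of the same bytes would give the same digest again).
    Content larger than the last step gets one final digest over everything.
    """
    sizes = []
    for size in PORTION_SIZES:
        sizes.append(min(size, length))
        if size >= length:
            return sizes
    sizes.append(length)
    return sizes


def digest(portion: bytes) -> str:
    """The 'value' of a portion: a SHA-256 hex digest (hash choice is an assumption)."""
    return hashlib.sha256(portion).hexdigest()


class SecurityAnalysisDevice:
    """Constructed stand-in for security analysis device 230."""

    def __init__(self, known: Dict[str, str]):
        self.known = dict(known)  # digest -> classification seen before

    def lookup(self, value: str) -> Optional[str]:
        return self.known.get(value)

    def inspect(self, portion: bytes) -> Optional[str]:
        # Toy content analysis: a constructed marker stands in for real detection.
        if b"CONSTRUCTED_MALICIOUS_MARKER" in portion:
            return "malware"
        return None


class NetworkDevice:
    """Network device 220: digest, local lookup, then escalate (numerals 130-160)."""

    def __init__(self, data_store: Dict[str, str], analysis: SecurityAnalysisDevice):
        # Local store: digest -> classification. Because a hit on a prefix digest
        # classifies the whole content, it should only hold digests the analysis
        # device has previously classified, never guesses.
        self.data_store = dict(data_store)
        self.analysis = analysis
        self.stats = {"digests": 0, "values_sent": 0, "bytes_sent": 0}

    def classify(self, content: bytes) -> Optional[str]:
        for size in portion_sizes(len(content)):
            portion = content[:size]
            value = digest(portion)
            self.stats["digests"] += 1
            # Numeral 140: local lookup first; a hit ends the walk here.
            cls = self.data_store.get(value)
            if cls is None:
                # Numeral 150: send the cheap value before the portion itself.
                self.stats["values_sent"] += 1
                cls = self.analysis.lookup(value)
            if cls is None:
                self.stats["bytes_sent"] += len(portion)
                cls = self.analysis.inspect(portion)
            if cls is not None:
                self.data_store[value] = cls  # numeral 160: keep the answer locally
                return cls
        return None  # nothing classified the content, even in full

    def act(self, content: bytes) -> str:
        """Numeral 170: drop malware, otherwise forward to the client."""
        cls = self.classify(content)
        return "drop" if cls == "malware" else "forward"


if __name__ == "__main__":
    sample = bytes(50 * 1024) + b"CONSTRUCTED_MALICIOUS_MARKER" + bytes(150 * 1024)
    device = NetworkDevice({}, SecurityAnalysisDevice({}))
    print(device.act(sample), device.stats)
```

Run stand-alone, the sample above is only caught at the 100 KB step, so the stats show three digests and the 1 KB and 10 KB portions sent before the 100 KB one; content whose 1 KB prefix digest is already in the local store is classified with one digest and nothing sent.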
In this manner, the network device reduces the amount of information (e.g., content or values determined for content) to be processed by the network device to determine the classification of the content, thereby saving processing resources and reducing latency. Furthermore, in this manner, the network device reduces the amount of information that may have to be provided to the security analysis device for processing, thereby saving network resources and improving network performance.
As described above, fig. 1A and 1B are provided as examples only. Other examples are possible and may differ from what is described with respect to fig. 1A and 1B.
FIG. 2 is a diagram of an example environment 200 in which systems and/or methods described herein may be implemented. As shown in fig. 2, environment 200 may include a client device 210, a network device 220, a security analysis device 230, a server device 240, and a network 250. The devices of environment 200 may be interconnected via a wired connection, a wireless connection, or a combination of wired and wireless connections.
Client device 210 includes one or more devices capable of receiving, generating, storing, processing, and/or providing information associated with a request for content. For example, the client device 210 may include a desktop computer, a mobile phone (e.g., a smart phone or a wireless phone), a laptop computer, a tablet computer, a gaming device, a wearable communication device (e.g., a smart watch or a pair of smart glasses), or similar types of devices. In some implementations, the client device 210 may provide a request for content to the server device 240 via the network device 220, as described elsewhere herein. Additionally or alternatively, the client device 210 may receive the requested content from the server device 240 via the network device 220, as described elsewhere herein.
Network device 220 includes one or more devices (e.g., one or more traffic delivery devices) capable of receiving, generating, storing, processing, and/or providing traffic between client device 210 and/or server device 240. For example, network device 220 may include a firewall, router, gateway, switch, hub, bridge, reverse proxy, server (e.g., proxy), security device, intrusion detection device, load balancer, or similar type of device. In some implementations, the network device 220 may receive content requested by the client device 210, as described elsewhere herein. Additionally or alternatively, the network device 220 may process the content to identify a classification of the content, as described elsewhere herein. In some implementations, the network device 220 may act as a gateway to a private network that includes one or more client devices 210. In some implementations, the plurality of network devices 220 may operate together as a gateway to a private network that includes one or more client devices 210.
Security analysis device 230 includes one or more devices capable of receiving, generating, storing, processing, and/or providing information associated with a request for content. For example, security analysis device 230 may include an analysis engine, a security device, an intrusion detection device, a firewall, a router, a gateway, a switch, a hub, a bridge, a reverse proxy, a server (e.g., a proxy server), a load balancer, or similar type of device. In some implementations, the security analysis device 230 may receive content (e.g., requested by the client device 210) and/or information related to the requested content, as described elsewhere herein. Additionally or alternatively, security analysis device 230 may identify a classification of content, as described elsewhere herein.
Server device 240 includes one or more devices capable of receiving, generating, storing, processing, and/or providing information associated with a request for content. For example, the server device 240 may include a server (e.g., a web server, a server in a multi-server data center, etc.), a workstation computer, a Virtual Machine (VM) provided in a cloud computing environment, or similar type of device. In some implementations, server device 240 may receive a request for content stored by server device 240, as described elsewhere herein. Additionally or alternatively, server device 240 may provide the requested content based on receiving the request, as described elsewhere herein.
Network 250 includes one or more wired and/or wireless networks. For example, network 250 may include a cellular network (e.g., a Long Term Evolution (LTE) network, a Code Division Multiple Access (CDMA) network, a 3G network, a 4G network, a 5G network, or another type of cellular network), a Public Land Mobile Network (PLMN), a Local Area Network (LAN), a Wide Area Network (WAN), a Metropolitan Area Network (MAN), a telephone network (e.g., the Public Switched Telephone Network (PSTN)), a private network, an ad hoc network, an intranet, the internet, a fiber-based network, a cloud computing network, etc., and/or a combination of these or other types of networks.
The number and arrangement of devices and networks shown in fig. 2 are provided as examples. In practice, there may be additional devices and/or networks, fewer devices and/or networks, different devices and/or networks, or a different arrangement of devices and/or networks than those shown in fig. 2. Further, two or more devices shown in FIG. 2 may be implemented within a single device, or a single device shown in FIG. 2 may be implemented as multiple distributed devices. Additionally or alternatively, a set of devices (e.g., one or more devices) of environment 200 may perform one or more functions described as being performed by another set of devices of environment 200.
Fig. 3 is a diagram of example components of a device 300. Device 300 may correspond to client device 210, network device 220, security analysis device 230, and/or server device 240. In some implementations, client device 210, network device 220, security analysis device 230, and/or server device 240 may include one or more devices 300 and/or one or more components of device 300. As shown in fig. 3, device 300 may include a bus 310, a processor 320, a memory 330, a storage component 340, an input component 350, an output component 360, and a communication interface 370.
Bus 310 includes components that allow communication among the components of device 300. Processor 320 is implemented in hardware, firmware, or a combination of hardware and software. Processor 320 includes a Central Processing Unit (CPU), a Graphics Processing Unit (GPU), an Accelerated Processing Unit (APU), a microprocessor, a microcontroller, a Digital Signal Processor (DSP), a Field Programmable Gate Array (FPGA), an Application Specific Integrated Circuit (ASIC), or another type of processing component. In some implementations, processor 320 includes one or more processors that can be programmed to perform functions. Memory 330 includes a Random Access Memory (RAM), a Read Only Memory (ROM), and/or another type of dynamic or static storage device (e.g., flash memory, magnetic memory, and/or optical memory) that stores information and/or instructions for use by processor 320.
The storage component 340 stores information and/or software related to the operation and use of the device 300. For example, storage component 340 may include a hard disk (e.g., a magnetic disk, an optical disk, a magneto-optical disk, and/or a solid state disk), a Compact Disc (CD), a Digital Versatile Disc (DVD), a floppy disk, a cassette, a magnetic tape, and/or another type of non-transitory computer-readable medium, and a corresponding drive.
Input components 350 include components that allow device 300 to receive information, such as via user input (e.g., a touch screen display, a keyboard, a keypad, a mouse, buttons, switches, and/or a microphone). Additionally or alternatively, input component 350 may include sensors for sensing information (e.g., a Global Positioning System (GPS) component, an accelerometer, a gyroscope, and/or an actuator). Output components 360 include components that provide output information from device 300, such as a display, a speaker, and/or one or more Light Emitting Diodes (LEDs).
Communication interface 370 includes transceiver-like components (e.g., a transceiver and/or separate receivers and transmitters) that enable device 300 to communicate with other devices, such as via wired connections, wireless connections, or a combination of wired and wireless connections. Communication interface 370 may allow device 300 to receive information from and/or provide information to another device. For example, communication interface 370 may include an ethernet interface, an optical interface, a coaxial interface, an infrared interface, a Radio Frequency (RF) interface, a Universal Serial Bus (USB) interface, a Wi-Fi interface, a cellular network interface, and/or the like.
Device 300 may perform one or more processes described herein. Device 300 may perform these processes in response to processor 320 executing software instructions stored by a non-transitory computer-readable medium, such as memory 330 and/or storage component 340. A computer-readable medium is defined herein as a non-transitory memory device. The memory device includes memory space within a single physical memory device or memory space distributed among multiple physical memory devices.
The software instructions may be read into memory 330 and/or storage component 340 from another computer-readable medium or another device via communication interface 370. When executed, software instructions stored in memory 330 and/or storage component 340 may cause processor 320 to perform one or more processes described herein. Additionally or alternatively, hardwired circuitry may be used in place of or in combination with software instructions to implement one or more processes described herein. Thus, implementations described herein are not limited to any specific combination of hardware circuitry and software.
The number and arrangement of components shown in fig. 3 are provided as examples. In practice, device 300 may include additional components, fewer components, different components, or a different arrangement of components than those shown in FIG. 3. Additionally or alternatively, one set of components (e.g., one or more components) of device 300 may perform one or more functions described as being performed by another set of components of device 300.
FIG. 4 is a flow diagram of an example process 400 for optimizing security analysis on a network device. In some implementations, one or more of the process blocks of fig. 4 may be performed by network device 220. In some implementations, one or more of the process blocks of fig. 4 may be performed by another device or group of devices separate from network device 220 (such as client device 210, security analysis device 230, and server device 240), or including network device 220.
As shown in fig. 4, process 400 may include receiving content from a server device based on a request for content from a client device (block 410). For example, network device 220 may receive content from server device 240. In some implementations, the network device 220 may receive the content based on a request for the content from the client device 210.
In some implementations, the content may include executable files, documents, application files, packages, scripts, web content, text data, video data, audio data, and so forth. In some implementations, the request may include a particular type of request. For example, the request may include a hypertext transfer protocol (HTTP) request.
In some implementations, the request may include information associated with the request. For example, the request may include a Uniform Resource Identifier (URI) of the content, such as a Uniform Resource Locator (URL) or Uniform Resource Name (URN) of the content, an HTTP cookie (e.g., a web cookie, an internet cookie, a browser cookie, etc.), and so forth. Additionally or alternatively, the request may include information identifying the particular portion of content being requested (e.g., a block, a byte range, a time range of audio and/or video data, etc.). For example, the request may include start and end identifiers for a set of consecutive bytes of data, start and end times for audio/video data, and so on. Additionally or alternatively, the request may include information identifying the source of the request and/or the destination of the content, such as a source address, a source port, a destination address, or a destination port. Additionally or alternatively, for an email message, the request may include information identifying the sender, the recipient, the subject, the body of the email message, rich content related to the email message, a title, a link included in the email message, and so forth.
In some implementations, the network device 220 may receive encrypted content. For example, network device 220 may receive encrypted content from a hypertext transfer protocol secure (HTTPS) website. In some implementations, when the network device 220 receives the content, the network device 220 may decrypt the content using a decryption technique. In some implementations, the network device 220 may decrypt the content using a set of Transport Layer Security (TLS) and/or Secure Sockets Layer (SSL) protocols. For example, the network device 220 may use a set of TLS and/or SSL protocols to identify data in multiple levels of encapsulation and/or encryption.
In some implementations, the network device 220 may determine whether the content includes personal information or other sensitive information. For example, personal information or other sensitive information may include information identifying a person's name and/or address, an identifier (e.g., a telephone number or social security number) identifying the person, bank account information, a particular type of information (e.g., even if not directly traceable to a particular individual), such as aggregated medical data, and so forth. In some implementations, the network device 220 may identify the content as including personal information or other sensitive information by parsing the content to identify the type of information included in the content, terms included in the content, identifiers associated with the content, and so forth. This allows the network device 220 to increase the privacy and security of personal information or other sensitive information when processing content, as described in more detail elsewhere herein.
In some implementations, the network device 220 may determine the cacheability of the content. In some implementations, the network device 220 may use information included in the response associated with the content to determine the cacheability of the content. For example, the network device 220 may use a cache control field, an entity tag (e.g., an ETag), a last-modified value, an if-modified-since value, an HTTP header of a response received in association with the content, etc. to determine the cacheability of the content.
In some implementations, when the network device 220 determines that the content is cacheable, the network device 220 may cache the content for use with one or more other requests. Additionally or alternatively, network device 220 may stream the cached content to client device 210 (e.g., based on parameters negotiated by client device 210 and server device 240). In this manner, network device 220 conserves network resources by reducing the amount of content provided to network device 220 from server device 240. Further, in this manner, network device 220 conserves processing resources by reducing the amount of requests that network device 220 must provide to server device 240 and/or server device 240 must receive. Further, this allows for rapid analysis of content via pre-fetching and caching of content, as opposed to waiting for a content response from server device 240 upon request from client device 210.
In some implementations, the network device 220 may receive the request for content before receiving the content. For example, network device 220 may receive the request through an intermediary device between client device 210 and server device 240. In some implementations, network device 220 may process the request to identify the information included in the request. For example, network device 220 may process the request to identify the requested content, the scope of the requested content, the source of the request, and so on.
In some implementations, the network device 220 may apply the rule based on the request. For example, network device 220 may apply the rules based on information included in the request. In some implementations, network device 220 may perform actions when applying rules. For example, network device 220 may block the request, may provide the request to server device 240, may log the request (or information included in the request), may process the request (e.g., using cached content and not communicating with server device 240), and so on.
In some implementations, network device 220 may standardize the information included in the request (e.g., prior to providing the request to server device 240). In some implementations, the network device 220 may standardize information identifying the content being requested (e.g., the range of the requested content). For example, assume that the request is for a range of content from the 999th KB of the particular content to the 1,099th KB of the particular content. In this case, the network device 220 may normalize the range of the requested content such that the range of the requested content is from the 1st KB of the particular content to the 2,000th KB of the particular content.
In some implementations, when normalizing the scope of content identified by a request, the network device 220 may normalize the request based on a predefined scope of content. For example, assume that network device 220 has stored a predefined range of values for content for use in analyzing content received from server device 240. In this case, if the network device 220 receives a request for a subset of the predefined range for content, the network device 220 may normalize the request to include the entire predefined range (e.g., allowing easy comparison with the stored values of the predefined range).
To provide a specific example, network device 220 may determine that the request includes information identifying a content scope. In some implementations, and continuing the previous example, the network device 220 may determine that the scope of the content includes a portion of the predefined scope of the content. In some implementations, the network device 220 may normalize the request for content by modifying the request to include information identifying the predefined range such that the request for content is a request for the predefined range (e.g., rather than the range of content originally identified by the request). In this manner, network device 220 conserves memory resources by reducing the number of values that network device 220 must store, and increases the security of network 250 by improving the accuracy of analyzing received content by comparing the range of values of the content to previously stored values of the same range.
Additionally or alternatively, the network device 220 may standardize information included in the request to pre-fetch the content. For example, the network device 220 may expand the range of the requested content by a threshold amount to pre-fetch the content. In this manner, the network device 220 reduces the latency associated with requesting content because the network device 220 may preemptively process content to determine the classification of the content (e.g., malware, allowed content, etc.) before the client device 210 requests the content.
In some implementations, the network device 220 may receive multiple requests for the same content (e.g., from the same client device 210 or different client devices 210). In some implementations, when the network device 220 receives multiple requests for the same content, the network device 220 may combine the multiple requests into a single request for the content. This saves processing resources of network device 220 and server device 240 by reducing the processing of duplicate requests. Further, this conserves network resources by reducing the amount of duplicate content provided and/or received via network 250.
In this manner, the network device 220 may receive content from the server device 240 based on a request for content from the client device 210.
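The request handling of block 410 described above, as an added example in Python (not the patent's or Juniper's code): widening a requested byte range to the predefined ranges the device stores values for, expanding it by a pre-fetch threshold, coalescing duplicate requests into one upstream fetch, and a cacheability check over response headers. The predefined ranges, the pre-fetch amount and the cache heuristic are constructed assumptions.

```python
from typing import Dict, List, Mapping, Tuple

KB = 1024
Range = Tuple[int, int]      # byte range [start, end), end exclusive

# Constructed predefined ranges: the device keeps lookup values only for these.
PREDEFINED: List[Range] = [(0, 2000 * KB), (2000 * KB, 4000 * KB), (4000 * KB, 6000 * KB)]


def normalize_range(req: Range, predefined: List[Range] = PREDEFINED, prefetch: int = 0) -> Range:
    """Widen a requested byte range to the whole predefined range(s) it touches.

    `prefetch` bytes are added to the requested end first, so the device fetches
    (and can classify) content the client is likely to ask for next; the result is
    still clipped to predefined boundaries so that stored values exist to compare
    against. A request touching no predefined range is returned unchanged."""
    start, end = req
    if end <= start:
        raise ValueError("empty or inverted range")
    end += prefetch
    hits = [r for r in predefined if r[0] < end and start < r[1]]
    if not hits:
        return req
    return min(r[0] for r in hits), max(r[1] for r in hits)


def coalesce(requests: List[Tuple[str, Range]], predefined: List[Range] = PREDEFINED,
             prefetch: int = 0) -> Dict[Tuple[str, Range], List[int]]:
    """Group (url, range) requests by their normalized form so that one upstream
    fetch serves all of them; maps each normalized request to the indices of the
    original requests it satisfies."""
    groups: Dict[Tuple[str, Range], List[int]] = {}
    for i, (url, rng) in enumerate(requests):
        groups.setdefault((url, normalize_range(rng, predefined, prefetch)), []).append(i)
    return groups


def is_cacheable(headers: Mapping[str, str]) -> bool:
    """Simplified shared-cache check over response headers (constructed heuristic,
    not a full RFC 9111 implementation): refuse no-store/private, otherwise accept
    when the response carries a positive max-age, an ETag, or a Last-Modified value."""
    lower = {k.lower(): v for k, v in headers.items()}
    directives = [d.strip().lower() for d in lower.get("cache-control", "").split(",") if d.strip()]
    if "no-store" in directives or "private" in directives:
        return False
    for d in directives:
        if d.startswith("max-age=") and d[8:].isdigit() and int(d[8:]) > 0:
            return True
    return "etag" in lower or "last-modified" in lower


if __name__ == "__main__":
    # The patent's own example: 999th-1,099th KB widens to the first 2,000 KB.
    print(normalize_range((999 * KB, 1099 * KB)))
    print(normalize_range((999 * KB, 1099 * KB), prefetch=1000 * KB))
    print(coalesce([("u", (999 * KB, 1099 * KB)), ("u", (10 * KB, 20 * KB))]))
```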
As further shown in fig. 4, process 400 may include determining a value of a portion of content (block 420). For example, the network device 220 may determine the value of a portion of the content using a hash function or another method of determining a value for the content. In some implementations, the network device 220 may determine the value after receiving the content from the server device 240.
In some implementations, the value may include a number, a string, an alphanumeric string, or the like. For example, the value may include a hash value, a message digest, a digital fingerprint, a digest, a checksum, and the like. In some implementations, the value may uniquely identify the content, a portion of the content, metadata associated with the content, and so forth.
In some implementations, the network device 220 may determine the value using a hash function (e.g., a cryptographic hash function). In some implementations, the hash function may include functionality that may be used to map data of an arbitrary size to data of a fixed size. By way of example, network device 220 may use one or more Secure Hash Algorithm 2 (SHA-2) cryptographic hash functions, such as SHA-1, SHA-224, or SHA-256. Additionally or alternatively, as another example, network device 220 may use Message Digest 5 (MD5) or any other type of function and/or method for determining a value of content. In this manner, the network device 220 may quickly and efficiently determine a value that the network device 220 may use to identify a classification for the content.
Although the description herein focuses on using a hash function to determine the value, the description is not limited to using a hash function. In some implementations, another type of function may be used to determine the value, such as any function that may repeatedly generate the same, unique output based on the same input.
In some implementations, the network device 220 may determine multiple values for various portions of content. In some implementations, the network device 220 may determine multiple values for various sized portions of content. For example, network device 220 may determine a first value for a 1KB portion, a second value for a 10KB portion that includes the 1KB portion, a third value for a 100KB portion that includes the 10KB portion, and so on. In this manner, the network device 220 may determine the value of larger and larger portions of the content.
Additionally or alternatively, network device 220 may determine multiple values for various ranges of content. For example, the network device 220 may determine a first value for a first time range (e.g., when the content is audio or video data), a second value for a second time range that is greater than and includes the first time range, a third value for a third time range that is greater than and includes the second time range, and so on. In some implementations, various ranges may be predefined. For example, for audio and/or video data, the network device 220 may determine a first value for the first 10 seconds, determine a second value for the first 20 seconds, determine a third value for the first 30 seconds, etc., based on information identifying the predefined range as the first 10 seconds, the first 20 seconds, and the first 30 seconds. In this manner, the network device 220 may determine the value of larger and larger portions of the content.
In some implementations, the network device 220 may determine the value in a particular manner. For example, network device 220 may determine the values one at a time. Continuing with the previous example, the network device 220 may determine a first value for the first portion of content and perform a lookup of the first value, as described below. Continuing with the previous example, if the lookup fails to identify a classification result, network device 220 may determine a second value for a second portion (e.g., a larger portion). In this manner, network device 220 conserves processing resources of network device 220 by reducing the number of values that network device 220 may have to determine. Furthermore, this allows for optimizing the classification of the identified content by reducing or minimizing the amount of processing of the content required to identify the classification.
As another example, network device 220 may determine the value without waiting for the lookup result to be determined. For example, the network device 220 may determine a first value for a first portion of the content and a second value for a second portion of the content. Network device 220 may perform a lookup of the first value and/or the second value, as described below. The result of looking up the second value may be used to verify the result of the lookup of the first value. In this manner, the network device 220 improves the accuracy of the classification by verifying the accuracy of the previous lookup result using the subsequent lookup result.
In this manner, the network device 220 may use a hash function to determine the value of a portion of the content.
As further shown in fig. 4, process 400 may include performing a lookup of values in a data store to identify a classification of content (block 430). For example, the network device 220 may perform a lookup of values in a data store, a content store, a data structure, a memory resource storing metadata, a memory resource storing user-specific data, and so forth. In some implementations, the network device 220 may perform a lookup to identify a classification of the content.
In some implementations, the data store may include memory resources for storing values of portions of content and information identifying corresponding classifications of content. For example, the data store may store a value for a portion of the content and information identifying a classification of the content. In some implementations, the data store may be local to network device 220. Alternatively, the data store may be remote (e.g., on a remote network device 220). In some implementations, the data store may be distributed across multiple network devices 220. In some implementations, the data store may include information from analysis of previous content, information entered by a network administrator, and the like.
In some implementations, the classification can include information identifying a type of content. For example, the classification may include information identifying the type of content as unlicensed content (e.g., malware, such as adware, viruses, worms, phishing, etc.) or allowed content (e.g., benign content, virus-free content, secure content, etc.), and so on. In some implementations, a particular classification may be associated with a particular action to be performed by network device 220. For example, the malware classification may be associated with an action that prevents content from being provided to the client device 210. As another example, the classification of the allowed content may be associated with an action that provides the content to the client device 210. This allows the network device 220 to determine the action to perform based on the classification of the content.
In some implementations, the classification may indicate whether the content is potentially harmful (e.g., indicating a likelihood of harm). For example, the classification of malware may indicate that the content is potentially harmful or meets a threshold probability of harm. As another example, the classification of benign content may indicate that the content is likely not harmful, or meets a threshold likelihood of being harmless.
In some implementations, the network device 220 may perform the lookup by performing the comparison. For example, network device 220 may perform a comparison of the determined value and a value stored in a data store (e.g., to determine whether the result of the comparison indicates a match).
In some implementations, the network device 220 may perform a search (e.g., rather than performing a lookup). For example, the network device 220 may use a bot, such as a web crawler, to determine whether the value matches a previously determined value stored on another device. This improves the identification of the classification by enabling the network device 220 to perform a search of values associated with the content to identify the classification.
In this manner, the network device 220 may perform a lookup of the determined values for a portion of the content.
As further shown in FIG. 4, process 400 may include determining whether the results of the lookup indicate a match or potential match (block 440). For example, the network device 220 may determine whether the results of the lookup indicate a match or a potential match.
In some implementations, the network device 220 may determine a match when the value determined for the portion of the content matches a value in the data store. In some implementations, the network device 220 may determine a potential match when the value determined for the metadata of the portion of the content matches a value in the data store. For example, the network device 220 may determine a potential match when the value of the metadata for a 1KB portion of content matches the value of the metadata for a 10KB portion of content in the data store. Continuing with the previous example, network device 220 may identify a match of the values for the metadata of the 1KB portion and the 10KB portion as a potential match, because matching metadata may indicate an increased likelihood that the 1KB portion and the 10KB portion are from the same content. In other words, when the network device 220 is unable to match portions of content (e.g., due to differently sized portions), a potential match may include a match of the metadata of the content portions. Additionally or alternatively, the network device 220 may determine that the results of the lookup do not indicate a match or a potential match.
In some implementations, when performing a lookup, the network device 220 may use a particular data store to determine a match. For example, when using the value of the 1KB portion of the content, the network device 220 may use a data store that includes the values of various 1KB portions of content. As another example, when using the value of the 10KB portion of content, network device 220 may use a data store that includes values of various 10KB portions of content. This saves processing resources of the network device 220 that would otherwise be used to compare the value of a particular sized portion of content with the value of a different sized portion of content.
In this manner, the network device 220 may determine whether the result of the lookup indicates a match or a potential match.
As further shown in fig. 4, process 400 may include determining whether to provide the value, or a portion of the content corresponding to the value, to the security analysis device to allow the security analysis device to determine a classification of the content (block 450). For example, the network device 220 may determine whether to provide the value or a portion of the content corresponding to the value to the security analysis device 230 to allow the security analysis device 230 to determine the classification of the content.
In some implementations, the network device 220 may determine whether to provide a value or a portion of the content based on the results of performing the lookup. In some implementations, the network device 220 may determine not to provide the value or the portion of the content when the lookup result indicates a match. In some implementations, the network device 220 may provide a value or portion of content when the lookup result indicates a potential match or mismatch.
In some implementations, when the network device 220 determines to provide a value or portion of content, the network device 220 may provide the value prior to providing the portion of content. For example, the network device 220 may provide the value prior to providing the portion of the content to allow the security analysis device to analyze the value to determine the classification of the content. This saves network resources when, for example, providing this value consumes less network resources relative to providing the portion of the content.
In some implementations, when network device 220 determines to provide a value or portion of content, network device 220 may provide the portion of content when network device 220 receives an indication that security analysis device 230 cannot determine a classification based on the value.
In some implementations, the security analysis device 230 may attempt to determine the classification of the content based on a value or portion of the content provided to the security analysis device 230 by the network device 220. In some implementations, when the security analysis device 230 is unable to determine the classification based on the portion of the content and the value determined for the portion of the content, the network device 220 may provide the content rather than a portion of the content (e.g., the entire requested content). In this manner, network device 220 may optimize the identification of content classifications. In addition, this saves processing resources of the security analysis device 230 and network resources of the network 250.
In some implementations, when the content includes personal information or other sensitive information, the network device 220 may determine to provide the value for the content (e.g., rather than the content or a portion of the content). This increases the privacy and/or security of the content by preventing the network device 220 from providing the content to another device when the content includes personal information or other sensitive information.
In this manner, the network device 220 may determine whether to provide the value to the security analysis device 230 or the portion of the content corresponding to the value.
As further shown in fig. 4, process 400 may include determining a classification of the content based on performing a lookup, or based on providing a value or portion of the content to a security analysis device (block 460). For example, the network device 220 may determine a classification of the content. In some implementations, the network device 220 may determine the classification of the content based on performing a lookup and/or providing a value or portion of the content to the security analysis device 230.
In some implementations, when the lookup result indicates a match, the network device 220 may determine the classification using corresponding information in the data store that identifies the classification. For example, assume that network device 220 performs a lookup of a value determined for a portion of content, and the lookup results in a match. In this case, network device 220 may determine the classification of the content (e.g., as malware) based on information in the data store associated with the value identifying the classification as malware. This reduces or eliminates the need for the network device 220 to use externally stored information to determine the classification, thereby saving network resources, reducing latency, and/or saving processing resources of another device.
In some implementations, the network device 220 may determine the classification based on information received from the security analysis device 230. For example, the security analysis device 230 may process the value, the content portion, or the entire content to determine a classification, and may have provided information identifying the classification to the network device 220. In this way, the network device 220 may use another device to determine the classification, thereby improving the determination of the classification because the other device may perform a more robust analysis.
In this manner, the network device 220 may determine the classification of the content based on performing a lookup, or based on providing the content, a portion of the content, or a value determined for the content to the security analysis device 230.
As further shown in fig. 4, process 400 may include, after determining the classification of the content, performing an action based on the classification of the content (block 470). For example, the network device 220 may perform an action based on the classification of the content. In some implementations, the network device 220 may perform the action after determining the classification of the content.
In some implementations, the network device 220 may allow the content by providing the content to the client device 210. Additionally or alternatively, network device 220 may store values, content, and/or information indicating the classification of the content in the data store. For example, when the network device 220 must provide a value or the corresponding portion of the content to the security analysis device 230, the network device 220 may store the value and/or information identifying the classification (e.g., as determined by the security analysis device 230). This saves processing resources of the network device 220 and the security analysis device 230, and/or saves network resources, by reducing or eliminating the need for the network device 220 to provide information associated with the same content to the security analysis device 230 multiple times. Additionally or alternatively, the network device 220 may block the content by preventing the content from being provided to the client device 210, by dropping packets associated with the content, and so forth.
Additionally or alternatively, the network device 220 may record information associated with the content (e.g., source of the request, source of the content, classification of the content, etc.). In some implementations, the network device 220 may generate a report that includes the information, and may provide the report for display (e.g., via display of the client device 210). Additionally or alternatively, the network device 220 may trigger an alert based on the classification (such as when the classification of the content is malware).
Additionally or alternatively, network device 220 may send a message (e.g., an email, a Short Message Service (SMS) message, etc.) to client device 210 with information indicating the classification. Additionally or alternatively, the network device 220 may provide information related to the content or the classification of the content for display (e.g., via a display of the client device 210). Additionally or alternatively, the first network device 220 may provide information to the second network device 220 such that the second network device 220 has information related to the results of the analysis of the content performed by the first network device 220, thereby improving future analysis by the second network device 220.
Additionally or alternatively, network device 220 may record metrics. For example, network device 220 may record metrics related to: the amount of content processed or provided to the security analysis device 230, the number of values processed or provided to the security analysis device 230, CPU utilization of the network device 220 and/or the security analysis device 230, memory resource utilization of the network device 220 and/or the security analysis device 230, and/or information identifying timer events related to providing, or retrying to provide, the content and/or values associated with the content to the security analysis device 230. In some implementations, the network device 220 may provide information identifying the metrics (e.g., for display or in a report). Additionally or alternatively, the network device 220 may determine whether to provide content and/or values to the security analysis device 230 or the client device 210 based on the metrics (e.g., when a metric satisfies a threshold).
In this manner, network device 220 may perform actions based on the classification of the content.
Although fig. 4 shows example blocks of the process 400, in some implementations, the process 400 may include additional blocks, fewer blocks, different blocks, or a different arrangement of blocks than those described in fig. 4. Additionally or alternatively, two or more blocks of process 400 may be performed in parallel.
Fig. 5A and 5B are diagrams of an example implementation 500 related to the example process 400 shown in fig. 4. Fig. 5A and 5B illustrate an example implementation of optimizing security analysis on a network device.
As shown in fig. 5A, and by reference numeral 502, the client device 210 and the server device 240 can perform a handshake for a range of content. For example, client device 210 and server device 240 may perform a handshake to determine a byte range or time range of content. In some implementations, client device 210 and server device 240 may perform a handshake via network device 220. For example, network device 220 and server device 240 may perform a handshake for the scope of the content.
As indicated by reference numeral 504, the network device 220 may receive a request for content (e.g., a request directed to the server device 240) and may normalize the requested range of the content. As indicated by reference numeral 506, the network device 220 may apply a content policy to the request for content. For example, network device 220 may block the request or allow the request based on information included in the request. As indicated by reference numeral 508, the network device 220 may receive the content. For example, network device 220 may receive the content from server device 240 based on providing the request to server device 240. As indicated by reference numeral 510, the network device 220 may calculate values for the first 1KB, 10KB, 100KB, and 1MB of the content. For example, network device 220 may calculate the values in a manner similar to that described elsewhere herein. In some implementations, network device 220 may compute the values sequentially or may compute at least some of the values in parallel.
As indicated by reference numeral 512, the network device 220 may perform a lookup of values in a data store. For example, the data store may be locally stored, remotely stored, or distributed, and may include previously determined values for portions of the content. As indicated by reference numeral 514, the network device 220 may determine whether the data store stores a value based on performing a lookup.
If the network device 220 determines that the data store stores the value (reference numeral 514 — yes), the network device 220 may determine whether the data store stores information identifying a classification (e.g., a classification of the content), as indicated by reference numeral 516. As indicated by reference numeral 518, if network device 220 determines that the data store stores information identifying a classification (reference numeral 516 — yes), network device 220 may perform an action based on the classification. For example, the network device 220 may provide the content, block the content, or generate a report that includes information identifying the classification. As indicated by reference numeral 520, if the network device 220 determines that the data store does not store a classification of the content (reference numeral 516 — no), the network device 220 may add the content and/or the value of the content to the data store (e.g., for future analysis).
As shown by reference numeral 522, if the network device 220 determines that the data store does not store a value (reference numeral 514 — no), the network device 220 may determine whether there is a potential match for the value. For example, network device 220 may determine whether there is a potential match for the value in a manner similar to that described elsewhere herein.
As shown in fig. 5B and by reference numeral 524, if the network device 220 determines that the data store stores a potential match for the value (reference numeral 522 — yes), the network device 220 may clear the indication to provide the content to the security analysis device 230 and proceed to reference numeral 526. In other words, the network device 220 may determine not to provide the content to the security analysis device 230. As shown by reference numeral 526, if the network device 220 determines that the data store does not include a potential match for the value (reference numeral 522 — no), the network device 220 may add the content and/or the value determined for the content to the data store, may provide the content to the security analysis device 230 (e.g., for further analysis), and may proceed to reference numeral 528.
As indicated by reference numeral 528, the network device 220 may determine whether the entire content (e.g., the entire requested content) was received. If the network device 220 determines that the entire content has not been received, the network device 220 may continue to receive the content, as indicated by reference numeral 508 in FIG. 5A, and may proceed as described above. As shown by reference numeral 530, if the network device 220 determines that the entire content was received (reference numeral 528 — yes), the network device 220 may determine whether the network device 220 has stored the content in the data store.
As indicated by reference numeral 532, if the network device 220 determines that the content is stored in the data store, the network device 220 may determine whether the data store stores information identifying a classification of the content. As indicated by reference numeral 534, if the network device 220 determines that the data store stores information identifying a classification of the content (reference numeral 532 — yes), the network device 220 may perform an action based on the classification identified by the information and may proceed to reference numeral 538. For example, the network device 220 may provide the content to the client device 210, block the content, or generate reports related to the content.
As indicated by reference numeral 536, if the network device 220 determines that the data store does not store the content, the network device 220 may add the content and/or the value of the content to the data store (e.g., to allow for future analysis of the content). As indicated by reference numeral 538, the network device 220 may add information identifying the content to a pending list. For example, the pending list may identify content for which network device 220 has not determined a classification and/or for which network device 220 may be waiting to receive information identifying a classification of the content from security analysis device 230.
As noted above, fig. 5A and 5B are provided as examples only. Other examples are possible and may differ from what is described with respect to fig. 5A and 5B.
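The following is an added example, not code from the patent or from Juniper Networks, that models the flow of fig. 5A and 5B (and the escalation recited in claim 1) in Python. Digests are computed over growing prefixes of the received content (1KB, 10KB, 100KB, 1MB), each digest is looked up in a local data store, and only when no lookup yields a classification is the digest, and then the portion, escalated to a security analysis device. The choice of SHA-256 as the hash function, the "potential match" rule (a smaller prefix of the same content is already in the store), the simulated security analysis device, and all names are assumptions for the example.

```python
"""Added example of the prefix-digest lookup in fig. 5A/5B (assumptions labelled)."""
import hashlib
from typing import Optional, Tuple

# Prefix sizes from fig. 5A, reference numeral 510.
PREFIX_SIZES = (1_024, 10 * 1_024, 100 * 1_024, 1_024 * 1_024)


def digest(portion: bytes) -> str:
    # Assumption: SHA-256 stands in for the hash function of claim 2.
    return hashlib.sha256(portion).hexdigest()


class DataStore:
    """Local data store: value -> classification (None = value stored, not yet classified)."""

    def __init__(self) -> None:
        self.values: dict[str, Optional[str]] = {}
        self.pending: list[str] = []  # pending list of fig. 5B, reference numeral 538

    def add(self, value: str, classification: Optional[str] = None) -> None:
        # Never overwrite a classification that is already stored.
        if self.values.get(value) is None:
            self.values[value] = classification


class SecurityAnalysisDevice:
    """Stand-in for security analysis device 230 (assumption: keeps its own value store)."""

    def __init__(self, known: dict[str, str]) -> None:
        self.known = known
        self.portions_received = 0  # counts how often a portion had to be sent

    def analyze_value(self, value: str) -> Optional[str]:
        return self.known.get(value)  # None = value not stored on the device

    def analyze_portion(self, portion: bytes) -> str:
        self.portions_received += 1
        # Constructed toy rule so the example runs offline; a real device inspects the bytes.
        return "malware" if b"CONSTRUCTED-MALICIOUS-MARKER" in portion else "benign"


def classify(content: bytes, store: DataStore, device: SecurityAnalysisDevice) -> Tuple[str, str]:
    """Return (classification, how), where `how` records which step decided."""
    potential_match = False
    value, portion = "", b""
    for size in PREFIX_SIZES:
        portion = content[:size]
        value = digest(portion)
        if value in store.values:                       # reference numeral 514 — yes
            stored = store.values[value]
            if stored is not None:                      # reference numeral 516 — yes
                return stored, f"lookup:{len(portion)}"
            potential_match = True                      # assumption: prefix seen before, unclassified
        else:
            store.add(value)                            # reference numeral 526: keep value for later
        if len(content) <= size:
            break                                       # whole content consumed (reference numeral 528)
    # No lookup produced a classification: escalate the value first (claim 1).
    result = device.analyze_value(value)
    if result is not None:
        store.add(value, result)                        # claim 5: record the device's answer
        return result, "device:value"
    if potential_match:
        store.pending.append(value)                     # wait for the device rather than send content
        return "pending", "pending"
    result = device.analyze_portion(portion)            # claim 3: portion only after the value fails
    store.add(value, result)
    return result, "device:portion"
```

The second call for the same content is answered from the local store without contacting the device, which is the saving the description attributes to the data store.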
FIG. 6 is a diagram of an example implementation 600 related to the example process 400 shown in FIG. 4. Fig. 6 illustrates an example of receiving a response from the security analysis device 230 regarding value analysis (e.g., when the network device 220 does not have values stored in the data store).
As shown in fig. 6, and by reference numeral 605, the network device 220 may receive a response related to the value from the security analysis device 230. For example, the response may include information identifying a result of analyzing the value of the portion of the content provided by network device 220 to security analysis device 230. As indicated by reference numeral 610, the network device 220 may determine whether the security analysis device 230 has the value stored in the data store of the security analysis device 230 (e.g., based on information included in the response).
As shown by reference numeral 615, if the network device 220 determines that the security analysis device 230 has the value stored in a data store associated with the security analysis device 230 (reference numeral 610 — yes), the network device 220 may update the data store associated with the network device 220 with information identifying the classification of the content (e.g., determined from information included in the response from the security analysis device 230). As shown by reference numeral 620, the network device 220 may determine whether the content for which the value was determined is pending (e.g., not yet provided to the client device 210, identified by a pending content list, etc.). As shown by reference numeral 625, if the network device 220 determines that the content is pending (reference numeral 620 — yes), the network device 220 may process the content based on the information identifying the classification received from the security analysis device 230. For example, the network device 220 may provide the content to the client device 210, quarantine the content, discard the content, and the like.
As shown by reference numeral 630, if the network device 220 determines that the security analysis device 230 does not store the value (reference numeral 610 — no), the network device 220 may determine whether the security analysis device 230 already stores a potential match for the value. If network device 220 determines that security analysis device 230 has stored a potential match for the value, network device 220 may perform one or more actions. For example, and as shown by reference numeral 635 (reference numeral 630 — yes, action 1), the network device 220 may provide the pending content to the security analysis device 230 for analysis. As another example, and as shown by reference numeral 640 (reference numeral 630 — yes, action 2), the network device 220 may update the data store with the value of the potential match (e.g., a value of metadata for the content).
In this manner, the network device 220 may receive a response from the security analysis device 230 based on providing the values for analysis to the security analysis device 230.
As noted above, fig. 6 is provided by way of example only. Other examples are possible and may differ from that described with respect to fig. 6.
FIG. 7 is a diagram of an example implementation 700 related to the example process 400 shown in FIG. 4. Fig. 7 shows an example of pre-fetching of content.
As shown in fig. 7, and by reference numeral 705, the network device 220 may add content to the data store and may set an indication (e.g., a flag) to provide the content to the security analysis device 230. As indicated by reference numeral 710, the network device 220 may determine whether to provide the content. For example, the network device 220 may determine whether to provide content to the security analysis device 230 in a manner similar to that described above.
As shown by reference numeral 715, if the network device 220 determines not to provide the content to the security analysis device 230 (reference numeral 710 — no), the network device 220 may perform an analysis of the content. For example, the network device 220 may determine a value of a portion of the content and may perform a lookup using the value.
As shown by reference numeral 720, if the network device 220 determines to provide content to the security analysis device 230 (reference numeral 710 — yes), the network device 220 may provide the content to the security analysis device 230 based on setting the indication. For example, the network device 220 may provide the content to the security analysis device 230 to allow the security analysis device 230 to analyze the content (e.g., to determine a classification of the content). As indicated by reference numeral 725, the network device 220 may add information identifying the content to a pending content list and/or add the content to a pending content data store (e.g., while waiting for analysis results from the security analysis device 230).
As indicated by reference numeral 730, the network device 220 may determine whether to pre-fetch content from the server device 240. For example, the network device 220 may determine whether to pre-fetch the content based on the type of content, the content range of the requested content, and so on. As shown by reference numeral 735, if the network device 220 determines not to pre-fetch the content (reference numeral 730 — no), the network device 220 may perform an action related to the content (e.g., previously received content). For example, the network device 220 may provide the content to the client device 210 without pre-fetching additional content.
As indicated by reference numeral 740, if the network device 220 determines to pre-fetch the content (reference numeral 730 — yes), the network device 220 may pre-fetch a range of the content adjacent to the originally requested content range. As indicated by reference numeral 745, the network device 220 may add information identifying the pre-fetched content to a pending content list and/or add the pre-fetched content to a pending content data store (e.g., while the network device 220 waits for the security analysis device 230 to analyze the content).
In some implementations, after pre-fetching the content, the network device 220 may perform a lookup of the content in the local data store to determine a match of the content (e.g., to allow classification of the content). In some implementations, if the network device 220 is unable to determine a match for the content, the network device 220 may add the value of the content to a local data store and may provide the content to the security analysis device 230 for analysis.
In this manner, the network device 220 may pre-fetch content associated with the requested content.
As noted above, fig. 7 is provided by way of example only. Other examples are possible and may differ from that described with respect to fig. 7.
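The following is an added example, not code from the patent or from Juniper Networks, of the range handling behind fig. 7 in Python: a requested HTTP byte range is parsed and normalized to chunk boundaries (the "standardize the requested scope" step of fig. 5A), the pre-fetch decision is made from the content type and the requested range, and the adjacent range to pre-fetch is computed and clamped to the content length. The 64KB chunk size, the set of content types that trigger pre-fetching, and the function names are assumptions for the example.

```python
"""Added example of range normalization and adjacent-range pre-fetch (fig. 7); assumptions labelled."""
import re
from typing import Optional, Tuple

CHUNK = 64 * 1024  # assumption: alignment unit used to normalize a requested range
# Assumption: only downloadable file types are worth pre-fetching for analysis.
PREFETCH_TYPES = {"application/octet-stream", "application/zip", "application/x-msdownload"}

_RANGE_RE = re.compile(r"bytes=(\d+)-(\d*)")


def parse_range(header: str) -> Tuple[int, Optional[int]]:
    """Parse 'bytes=START-END' or 'bytes=START-' (open-ended). Other forms are rejected."""
    match = _RANGE_RE.fullmatch(header.strip())
    if not match:
        raise ValueError(f"unsupported Range header: {header!r}")
    start = int(match.group(1))
    end = int(match.group(2)) if match.group(2) else None
    if end is not None and end < start:
        raise ValueError("range end precedes start")
    return start, end


def normalize_range(start: int, end: Optional[int], content_length: int) -> Tuple[int, int]:
    """Align start down and end up to CHUNK boundaries, clamped to the content."""
    if start >= content_length:
        raise ValueError("range start beyond content length")
    aligned_start = (start // CHUNK) * CHUNK
    last = content_length - 1 if end is None else min(end, content_length - 1)
    aligned_end = min(((last // CHUNK) + 1) * CHUNK - 1, content_length - 1)
    return aligned_start, aligned_end


def should_prefetch(content_type: str, requested_len: int, content_length: int) -> bool:
    # Reference numeral 730: decide by content type and by whether more content exists.
    return content_type in PREFETCH_TYPES and requested_len < content_length


def adjacent_range(start: int, end: int, content_length: int) -> Optional[Tuple[int, int]]:
    """Range immediately following (start, end), or None when the request reached the end."""
    if end + 1 >= content_length:
        return None
    return end + 1, min(end + CHUNK, content_length - 1)


def plan_fetch(range_header: str, content_type: str, content_length: int) -> dict:
    """Return the normalized range to fetch and the adjacent range to pre-fetch (if any)."""
    start, end = normalize_range(*parse_range(range_header), content_length)
    plan = {"fetch": (start, end), "prefetch": None}
    if should_prefetch(content_type, end - start + 1, content_length):
        plan["prefetch"] = adjacent_range(start, end, content_length)  # reference numeral 740
    return plan
```

Clamping both ranges to the content length matters: without it a pre-fetch past the end of the object would produce a 416 response from the server and a wasted round trip.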
FIG. 8 is a diagram of an example implementation 800 related to the example process 400 shown in FIG. 4. Fig. 8 shows an example of determining when to provide content to the security analysis device 230 for analysis.
As shown in fig. 8, and by reference numeral 805, the network device 220 may detect a storage event related to the content (e.g., receiving the content, pre-fetching the content, receiving new content, etc.). In some implementations, after detecting the storage event, the network device 220 may determine whether a data store associated with the network device 220 includes the content or a value for the content. As indicated by reference numeral 810, the network device 220 may determine whether a threshold amount of time has elapsed (e.g., a timeout) without finding the content or the value of the content in the data store. As shown by reference numeral 815, if the network device 220 determines that the threshold amount of time has not elapsed and the content or the value of the content has not been found in the data store (reference numeral 810 — no), the network device 220 may continue to check whether the content or the value of the content is stored in the data store.
As indicated by reference numeral 820, if the network device 220 determines that a threshold amount of time has elapsed without the content or value of the content being found in the data store (reference numeral 810 — yes), the network device 220 may provide the content or value of the content to the security analysis device 230 for analysis. As indicated by reference numeral 825, the network device 220 may determine whether there is a failure with respect to providing the content or the value of the content to the security analysis device 230. For example, the network device 220 may be unable to provide the content due to an error of the network device 220, congestion of the network 250, and the like. As shown by reference numeral 830, if the network device 220 determines that there is no failure with respect to providing the content or the value of the content (reference numeral 825 — no), the network device 220 may receive or wait to receive the analysis result from the security analysis device 230. For example, the network device 220 may receive or wait to receive the results of the security analysis device 230 analyzing the content. As shown by reference numeral 835, if the network device 220 determines that there is a failure with respect to providing the content or the value of the content (reference numeral 825 — yes), the network device 220 may generate a report indicating that there is a failure and may add the content or the value of the content to a retry queue (e.g., to cause the network device 220 to retry providing the content to the security analysis device 230).
In this manner, the network device 220 may determine when to provide content to the security analysis device 230.
As noted above, fig. 8 is provided as an example only. Other examples are possible and may differ from that described with respect to fig. 8.
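The following is an added example, not code from the patent or from Juniper Networks, of the timeout-and-retry logic of fig. 8 in Python. A storage event registers the content, each poll first checks the local lookup (reference numeral 815) and, once the threshold time has elapsed without a hit, submits to the analysis device (820); a submission failure produces a report entry and places the item on a retry queue (835). The injectable clock, the cap on retry attempts, and the simulated flaky device are assumptions for the example.

```python
"""Added example of the fig. 8 timeout/retry flow with a constructed flaky device (assumptions labelled)."""
from collections import deque
from dataclasses import dataclass
from typing import Callable, Deque, Dict, List, Optional, Tuple


@dataclass
class Submission:
    key: str        # value (digest) identifying the content
    payload: bytes  # the content or value to send to the analysis device
    attempts: int = 0


class AnalysisSubmitter:
    def __init__(self, local_lookup: Callable[[str], Optional[str]],
                 send: Callable[[bytes], str], timeout_s: float, max_attempts: int = 3) -> None:
        self.local_lookup = local_lookup      # data store lookup: key -> classification or None
        self.send = send                      # submit to security analysis device; raises ConnectionError
        self.timeout_s = timeout_s            # threshold of reference numeral 810
        self.max_attempts = max_attempts      # assumption: bound retries (not in the description)
        self.waiting: Dict[str, Tuple[bytes, float]] = {}  # key -> (payload, first seen)
        self.retry_queue: Deque[Submission] = deque()       # reference numeral 835
        self.results: Dict[str, str] = {}
        self.reports: List[str] = []

    def on_storage_event(self, key: str, payload: bytes, now: float) -> None:
        # Reference numeral 805: remember when we first started waiting on this key.
        self.waiting.setdefault(key, (payload, now))

    def poll(self, now: float) -> None:
        """One pass: resolve from the local store, or submit once the timeout elapsed."""
        for key, (payload, first_seen) in list(self.waiting.items()):
            classification = self.local_lookup(key)
            if classification is not None:                  # reference numeral 810 — no, found
                self.results[key] = classification
                del self.waiting[key]
            elif now - first_seen >= self.timeout_s:         # reference numeral 810 — yes
                del self.waiting[key]
                self._submit(Submission(key, payload))

    def retry(self) -> None:
        """Re-submit everything currently queued (e.g., on a timer)."""
        for _ in range(len(self.retry_queue)):
            self._submit(self.retry_queue.popleft())

    def _submit(self, sub: Submission) -> None:
        sub.attempts += 1
        try:
            self.results[sub.key] = self.send(sub.payload)   # reference numeral 830: result received
        except ConnectionError as exc:                        # reference numeral 825 — yes
            self.reports.append(f"submit failed for {sub.key} (attempt {sub.attempts}): {exc}")
            if sub.attempts < self.max_attempts:
                self.retry_queue.append(sub)


class FlakyDevice:
    """Constructed stand-in for security analysis device 230 that fails its first N sends."""

    def __init__(self, fail_first: int) -> None:
        self.fail_first = fail_first
        self.calls = 0

    def send(self, payload: bytes) -> str:
        self.calls += 1
        if self.calls <= self.fail_first:
            raise ConnectionError("network 250 congested (simulated)")
        return "malware" if b"CONSTRUCTED-MARKER" in payload else "benign"


def run_scenario() -> Tuple[AnalysisSubmitter, FlakyDevice]:
    local = {"known": "benign"}                       # constructed local data store contents
    device = FlakyDevice(fail_first=1)
    submitter = AnalysisSubmitter(local.get, device.send, timeout_s=5.0)
    submitter.on_storage_event("known", b"known bytes", now=0.0)
    submitter.on_storage_event("unknown", b"x CONSTRUCTED-MARKER", now=0.0)
    submitter.poll(now=1.0)   # "known" resolved locally; "unknown" keeps waiting
    submitter.poll(now=6.0)   # "unknown" times out, submission fails, goes to retry queue
    submitter.retry()         # second attempt succeeds
    return submitter, device
```

Bounding the retry count is the practitioner's addition here: an unbounded retry queue fed by a persistently unreachable analysis device would otherwise grow without limit and itself become a memory-exhaustion risk on the network device.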
FIG. 9 is a diagram of an example implementation 900 related to the example process 400 shown in FIG. 4. Fig. 9 shows an example of a data store that may be used by network device 220.
As shown in FIG. 9, example implementation 900 may include one or more network devices (e.g., network device 220-0 through network device 220-N) and one or more data stores (e.g., data store 0 through data store N). As indicated by reference numeral 910, one or more logically or physically distributed network devices 220 (e.g., network devices 220-0 through 220-N) may store one or more data stores. In some implementations, network devices 220 may be connected such that a first network device 220 (e.g., network device 220-0) may access information in a data store of a second network device 220 (e.g., network device 220-1).
In some implementations, the data store may store objects, such as content (e.g., full or partial content), values of the content (or metadata associated with the content), and so forth. In some implementations, the network device 220 may use a timer to record the amount of time that an object has been stored in the data store, the amount of time from the last lookup of the object, and so on. In some implementations, the network device 220 may remove objects from the data store after a threshold amount of time has elapsed (e.g., objects that are less frequently used relative to other objects may be removed). This saves memory resources associated with the data store and/or allows faster object lookup by reducing the number of objects in the data store, which saves processing resources of the network device 220.
In this manner, the network device 220 may use a data store stored by another network device 220.
As described above, fig. 9 is provided as an example only. Other examples are possible and may be different than that described with respect to fig. 9. For example, a single network device 220 may store data stores 0 through N, devices other than network device 220 may store one or more of data stores 0 through N, and so on.
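The following is an added example, not code from the patent or from Juniper Networks, of the data store of fig. 9 in Python: each object carries the time it was stored and the time of its last lookup, objects idle longer than a threshold are expired, the least recently looked-up objects are evicted when the store is full, and a lookup that misses locally may consult the data stores of peer network devices. The idle-time eviction rule, the size cap, caching a peer's answer locally, and the injectable clock are assumptions for the example.

```python
"""Added example of a timer-based, size-bounded data store with peer lookup (fig. 9); assumptions labelled."""
import time
from collections import OrderedDict
from typing import Callable, List, Optional, Tuple


class TimedDataStore:
    def __init__(self, max_idle_s: float, max_objects: int,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.max_idle_s = max_idle_s      # threshold amount of time since the last lookup
        self.max_objects = max_objects    # assumption: hard cap on stored objects
        self.clock = clock
        # key -> (object, stored_at, last_lookup); ordered oldest-lookup first
        self._objects: "OrderedDict[str, Tuple[object, float, float]]" = OrderedDict()

    def put(self, key: str, obj: object) -> None:
        now = self.clock()
        self._objects[key] = (obj, now, now)
        self._objects.move_to_end(key)
        self._evict_overflow()

    def lookup(self, key: str) -> Optional[object]:
        """Return the object, refreshing its last-lookup time; expire it lazily if idle too long."""
        now = self.clock()
        entry = self._objects.get(key)
        if entry is None:
            return None
        obj, stored_at, last_lookup = entry
        if now - last_lookup > self.max_idle_s:
            del self._objects[key]
            return None
        self._objects[key] = (obj, stored_at, now)
        self._objects.move_to_end(key)
        return obj

    def expire(self) -> int:
        """Remove every object idle longer than the threshold; return how many were removed."""
        now = self.clock()
        stale = [k for k, (_, _, last) in self._objects.items() if now - last > self.max_idle_s]
        for key in stale:
            del self._objects[key]
        return len(stale)

    def __len__(self) -> int:
        return len(self._objects)

    def _evict_overflow(self) -> None:
        # Least recently looked-up objects sit at the front of the OrderedDict.
        while len(self._objects) > self.max_objects:
            self._objects.popitem(last=False)


def federated_lookup(local: TimedDataStore, peers: List[TimedDataStore],
                     key: str) -> Tuple[Optional[object], str]:
    """Look up locally first, then in the data stores of peer network devices."""
    obj = local.lookup(key)
    if obj is not None:
        return obj, "local"
    for index, peer in enumerate(peers):
        obj = peer.lookup(key)
        if obj is not None:
            local.put(key, obj)   # assumption: cache the peer's answer so the next lookup is local
            return obj, f"peer:{index}"
    return None, "miss"
```

Refreshing the timestamp on lookup rather than on insertion is what makes frequently consulted values survive while one-off values age out, which is the "less frequently used" behaviour the description asks for.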
Implementations described herein enable a network device to determine a classification of content associated with performing a security function by determining a value (e.g., digest) of the content and using the value to determine the classification. Further, implementations described herein can optimize the use of multiple values for various sized portions of content to reduce the number of values determined for the content. In this manner, the network device reduces the amount of content that needs to be processed by the network device to determine the classification of the content, thereby saving processing resources and reducing latency. Further, in this manner, the network device reduces the amount of information that may have to be sent to the security analysis device for processing (e.g., when the network device fails to determine the classification of the content), thereby saving network resources and improving network performance.
As used herein, the term "traffic" or "content" may include a set of packets. A packet may refer to a communication structure used to communicate information such as a Protocol Data Unit (PDU), a network packet, a datagram, a segment, a message, a block, a cell, a frame, a subframe, a slot, a symbol, a portion of any of the above, and/or another type of formatted or unformatted data unit that may be transmitted via a network.
Although implementations are described herein with reference to content, implementations are not limited to content or content-related protocols. For example, implementations may apply to Hypertext Transfer Protocol (HTTP), HTTP Secure (HTTPS), Simple Mail Transfer Protocol (SMTP), Internet Message Access Protocol (IMAP), Post Office Protocol (POP), ActiveSync, Gmail push, and/or any other type of protocol. Further, implementations may apply to Secure Sockets Layer (SSL) and/or Transport Layer Security (TLS) variants of the previously described protocols.
The foregoing disclosure provides illustration and description, but is not intended to be exhaustive or to limit the implementations to the precise form disclosed. Modifications and variations are possible in light of the above disclosure or may be acquired from practice of the implementations.
The term component, as used herein, is intended to be broadly interpreted as hardware, firmware, and/or a combination of hardware and software.
Some implementations are described herein in connection with thresholds. As used herein, meeting a threshold may refer to a value that is greater than the threshold, greater than or equal to the threshold, less than or equal to the threshold, and the like.
It is apparent that the systems and/or methods described herein may be implemented in various forms of hardware, firmware, or a combination of hardware and software. The actual specialized control hardware or software code used to implement these systems and/or methods is not limiting of the implementations. Thus, the operation and behavior of the systems and/or methods described herein have not been described with reference to specific software code, it being understood that software and hardware may be designed to implement the systems and/or methods based on the description herein.
Even if combinations of features are recited in the claims and/or disclosed in the description, these combinations are not intended to limit the disclosure of possible implementations. In fact, many of these features may be combined in ways not specifically recited in the claims and/or disclosed in the specification. Although each dependent claim listed below may be directly dependent on only one claim, the disclosure of possible implementations includes each dependent claim in combination with each other claim in the claims.
No element, act, or instruction used herein should be construed as critical or essential unless explicitly described as such. In addition, the articles "a" and "an" as used herein are intended to include one or more items, and may be used interchangeably with "one or more". Further, the term "collection" as used herein is intended to include one or more items (e.g., related items, unrelated items, combinations of related and unrelated items, etc.) and may be used interchangeably with "one or more". If only one item is desired, the term "one" or similar language is used. Furthermore, the terms "having," "containing," and the like, as used herein, are intended to be open-ended terms. Further, the phrase "based on" is intended to mean "based, at least in part, on" unless explicitly stated otherwise.

Claims (20)

1. A method, comprising:
determining, by a first device, a first value of a first portion of content;
performing, by the first device, a first lookup of the first value to identify a classification of the content;
determining, by the first device, that the first lookup fails to identify a classification result;
determining, by the first device, a second value for a second portion of the content based on determining that the first lookup fails to identify the classification result,
the second portion of the content is larger than the first portion of the content;
performing, by the first device, a second lookup of the second value to identify the classification of the content;
selectively:
determining, by the first device, the classification of the content by providing the second value or the second portion of the content to a second device based on the second lookup not indicating a match; or
Determining, by the first device, the classification of the content based on the second lookup indicating a match; and
performing, by the first device, one or more actions with respect to the content based on the classification of the content.
2. The method of claim 1, wherein determining the first value comprises:
determining the first value using a hash function.
3. The method of claim 1, wherein determining the classification of the content by providing the second value or the second portion of the content to the second device comprises:
providing the second portion of the content to the second device based on the second device failing to identify the classification of the content using the second value.
4. The method of claim 1, wherein performing the one or more actions based on the classification of the content comprises:
based on the content being classified as malware, preventing the content from being provided to a third device; or
Allowing the content to be provided to the third device based on the content not being classified as malware.
5. The method of claim 1, wherein performing the first lookup comprises:
performing the first lookup in a data store;
wherein performing the second lookup comprises:
performing the second lookup in the data store; and
Wherein the method further comprises:
based on determining the classification of the content by providing the second value or the second portion of the content to the second device, updating the data store with information identifying the classification of the content.
6. The method of claim 1, further comprising:
providing the second portion of the content to the second device;
based on providing the second portion of the content to the second device, adding information identifying the second portion of the content to a pending content list or a pending data store; and
receiving an analysis of a second portion of the content after adding the information identifying the second portion of the content to the pending content list or the pending data store.
7. The method of claim 1, further comprising:
based on performing the second lookup, determining whether a threshold amount of time has elapsed without finding a match; and
wherein determining the classification of the content by providing the second value or the second portion of the content to the second device comprises:
determining the classification of the content by providing the second value or the second portion of the content to the second device based on determining that the threshold amount of time has elapsed without finding a match.
8. A first device, comprising:
one or more memories; and
one or more processors communicatively coupled to the one or more memories, the one or more processors configured to:
determining a first value for a first portion of content;
performing a first lookup of the first value to identify a classification of the content;
determining that the first lookup fails to identify a classification result;
determining a second value for a second portion of the content based on determining that the first lookup fails to identify the classification result,
wherein the second portion of the content is larger than the first portion of the content;
performing a second lookup of the second value to identify the classification of the content;
selectively:
determining the classification of the content by providing the second value or the second portion of the content to a second device based on the second lookup not indicating a match; or
determining the classification of the content based on the second lookup indicating a match; and
based on the classification of the content, performing one or more actions with respect to the content.
9. The first device of claim 8, wherein the one or more processors, in determining the first value, are configured to:
determining the first value using a hash function.
10. The first device of claim 8, wherein the one or more processors, in determining the classification of the content by providing the second value or the second portion of the content to the second device, are configured to:
providing the second portion of the content to the second device based on the second device failing to identify the classification of the content using the second value.
11. The first device of claim 8, wherein the one or more processors, when performing the one or more actions based on the classification of the content, are configured to:
based on the content being classified as malware, preventing the content from being provided to a third device; or
allowing the content to be provided to the third device based on the content not being classified as malware.
12. The first device of claim 8, wherein the one or more processors, when performing the first lookup, are configured to:
performing the first lookup in a data store;
wherein the one or more processors, when performing the second lookup, are configured to:
performing the second lookup in the data store; and
wherein the one or more processors are further configured to:
based on determining the classification of the content by providing the second value or the second portion of the content to the second device, updating the data store with information identifying the classification of the content.
13. The first device of claim 8, wherein the one or more processors are further configured to:
providing the second portion of the content to the second device;
based on providing the second portion of the content to the second device, adding information identifying the second portion of the content to a pending content list or a pending data store; and
receiving an analysis of the second portion of the content after adding the information identifying the second portion of the content to the pending content list or the pending data store.
14. The first device of claim 8, wherein the one or more processors are further configured to:
based on performing the second lookup, determining whether a threshold amount of time has elapsed without finding a match; and
wherein the one or more processors, in determining the classification of the content by providing the second value or the second portion of the content to the second device, are configured to:
based on determining that the threshold amount of time has elapsed without finding a match, determining the classification of the content by providing the second value or the second portion of the content to the second device.
15. A non-transitory computer-readable medium storing instructions, the instructions comprising:
one or more instructions that, when executed by one or more processors of a first device, cause the one or more processors to:
determining a first value for a first portion of content;
performing a first lookup of the first value to identify a classification of the content;
determining that the first lookup fails to identify a classification result;
determining a second value for a second portion of the content based on determining that the first lookup fails to identify the classification result,
wherein the second portion of the content is larger than the first portion of the content;
performing a second lookup of the second value to identify the classification of the content;
selectively:
determining the classification of the content by providing the second value or the second portion of the content to a second device based on the second lookup not indicating a match; or
determining the classification of the content based on the second lookup indicating a match; and
based on the classification of the content, performing one or more actions with respect to the content.
16. The non-transitory computer-readable medium of claim 15, wherein the one or more instructions that cause the one or more processors to determine the first value cause the one or more processors to:
determining the first value using a hash function.
17. The non-transitory computer-readable medium of claim 15, wherein the one or more instructions that cause the one or more processors to determine the classification of the content by providing the second value or the second portion of the content to the second device cause the one or more processors to:
providing the second portion of the content to the second device based on the second device failing to identify the classification of the content using the second value.
18. The non-transitory computer-readable medium of claim 15, wherein the one or more instructions that cause the one or more processors to perform the one or more actions based on the classification of the content cause the one or more processors to:
based on the content being classified as malware, preventing the content from being provided to a third device; or
allowing the content to be provided to the third device based on the content not being classified as malware.
19. The non-transitory computer-readable medium of claim 15, wherein the one or more instructions that cause the one or more processors to perform the first lookup cause the one or more processors to:
performing the first lookup in a data store;
wherein the one or more instructions that cause the one or more processors to perform the second lookup cause the one or more processors to:
performing the second lookup in the data store; and
wherein the one or more instructions, when executed by the one or more processors, further cause the one or more processors to:
based on determining the classification of the content by providing the second value or the second portion of the content to the second device, updating the data store with information identifying the classification of the content.
20. The non-transitory computer-readable medium of claim 15, wherein the one or more instructions, when executed by the one or more processors, further cause the one or more processors to:
providing the second portion of the content to the second device;
based on providing the second portion of the content to the second device, adding information identifying the second portion of the content to a pending content list or a pending data store; and
receiving an analysis of the second portion of the content after adding the information identifying the second portion of the content to the pending content list or the pending data store.
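The independent claims (1, 8 and 15) and their dependents describe a single procedure: hash a small leading portion of the content and look it up locally; on a miss, hash a larger portion and look that up; on a second miss, or once a threshold time has passed without a match, hand the second value (and, if the remote side cannot classify from the value alone, the bytes themselves) to a second device, record the submission in a pending store, and write the returned classification back into the local data store so later flows are answered by the first lookup; finally block content classified as malware and allow the rest. The Python below is an added example written for this page to show that procedure end to end; it is not Juniper's code or the implementation behind the patent. The portion sizes, the simulated second device with its asynchronous queue, the marker-string detection rule, the sample byte strings, the reading of the threshold wait as "resubmit if an earlier submission has not answered within the threshold", and the rule that a prefix hash only ever caches a malware verdict are all the example's own assumptions.

```python
"""Two-stage hash lookup with remote fallback, modelled on the claims above.

Added example for this page, not Juniper's implementation: portion sizes,
the simulated second device, its marker-based detection rule and all
sample bytes are assumptions.
"""
import hashlib
import time
from typing import Callable, Dict, List, Optional, Tuple

FIRST_PORTION = 1024        # assumed size of the cheap first portion
SECOND_PORTION = 64 * 1024  # assumed size of the larger second portion
MALWARE, BENIGN, UNKNOWN = "malware", "benign", "unknown"


def portion_hash(content: bytes, length: int) -> str:
    """Value for the leading `length` bytes (claims 2/9/16: a hash function)."""
    return hashlib.sha256(content[:length]).hexdigest()


class SimulatedSecondDevice:
    """Stand-in for the remote analysis service: answers from a hash when it
    already knows the content, otherwise accepts the bytes and reports later.
    The marker-string rule is constructed for the example, not a signature."""

    def __init__(self) -> None:
        self.known: Dict[str, str] = {}
        self.queue: List[Tuple[str, bytes]] = []

    def classify_by_value(self, value: str) -> Optional[str]:
        return self.known.get(value)

    def submit(self, value: str, portion: bytes) -> None:
        self.queue.append((value, portion))

    def finish_analysis(self) -> List[Tuple[str, str]]:
        """Run every queued analysis; returns (value, verdict) pairs."""
        results = []
        for value, portion in self.queue:
            verdict = MALWARE if b"CONSTRUCTED-MALICIOUS-MARKER" in portion else BENIGN
            self.known[value] = verdict
            results.append((value, verdict))
        self.queue = []
        return results


class ContentClassifier:
    """The first device: local lookups, pending store, remote fallback."""

    def __init__(self, remote: SimulatedSecondDevice, wait_threshold: float = 2.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.remote = remote
        self.store: Dict[str, str] = {}                  # hash -> classification
        self.pending: Dict[str, Tuple[float, str]] = {}  # second hash -> (sent at, first hash)
        self.wait_threshold = wait_threshold
        self.clock = clock

    def classify(self, content: bytes) -> str:
        first = portion_hash(content, FIRST_PORTION)
        verdict = self.store.get(first)                  # first lookup
        if verdict is not None:
            return verdict
        second = portion_hash(content, SECOND_PORTION)
        verdict = self.store.get(second)                 # second lookup
        if verdict is not None:
            return verdict
        entry = self.pending.get(second)
        if entry is not None and self.clock() - entry[0] < self.wait_threshold:
            return UNKNOWN       # already submitted; give the verdict time to arrive
        # No match, or the threshold elapsed without one: ask the second device,
        # offering the value first and the bytes only if the value is unknown.
        verdict = self.remote.classify_by_value(second)
        if verdict is not None:
            self._record(first, second, verdict)
            return verdict
        self.remote.submit(second, content[:SECOND_PORTION])
        self.pending[second] = (self.clock(), first)
        return UNKNOWN

    def receive_results(self) -> int:
        """Move finished analyses into the data store; returns how many arrived."""
        count = 0
        for value, verdict in self.remote.finish_analysis():
            entry = self.pending.pop(value, None)
            self._record(entry[1] if entry else None, value, verdict)
            count += 1
        return count

    def _record(self, first: Optional[str], second: str, verdict: str) -> None:
        self.store[second] = verdict
        # Example's own rule: a prefix hash only ever caches a malware verdict,
        # so benign content cannot vouch for a file that merely shares its start.
        if first is not None and verdict == MALWARE:
            self.store[first] = verdict

    def action(self, content: bytes, hold_unknown: bool = False) -> str:
        """Claims 4/11/18: block malware, allow the rest. hold_unknown is the
        example's fail-closed option for content still awaiting a verdict."""
        verdict = self.classify(content)
        if verdict == MALWARE:
            return "block"
        if verdict == UNKNOWN and hold_unknown:
            return "hold"
        return "allow"
```

Two points a practitioner should take from running this. First, anything served from the first lookup applies to every file that shares the first portion, so the prefix cache trades accuracy for speed: with the example's rule, a benign file whose first 1024 bytes match known malware is blocked (a false positive), while the reverse, caching a benign verdict under a prefix, would let an attacker prepend the header of a known-good file to malware and be allowed without any analysis; that is why the example never caches benign verdicts under the first value. Second, the claimed action allows anything "not classified as malware", which includes content whose verdict is still pending; the `hold_unknown` option is the example's way of failing closed while the second device is still working.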
CN202011562406.0A 2017-03-29 2017-11-15 Content-based optimization and pre-acquisition mechanism for security analysis of network devices Active CN112565299B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011562406.0A CN112565299B (en) 2017-03-29 2017-11-15 Content-based optimization and pre-acquisition mechanism for security analysis of network devices

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
US15/472,535 2017-03-29
US15/472,535 US10554684B2 (en) 2017-03-29 2017-03-29 Content-based optimization and pre-fetching mechanism for security analysis on a network device
CN201711129036.XA CN108696494B (en) 2017-03-29 2017-11-15 Content-based optimization and pre-fetch mechanism for security analysis of network devices
CN202011562406.0A CN112565299B (en) 2017-03-29 2017-11-15 Content-based optimization and pre-acquisition mechanism for security analysis of network devices

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
CN201711129036.XA Division CN108696494B (en) 2017-03-29 2017-11-15 Content-based optimization and pre-fetch mechanism for security analysis of network devices

Publications (2)

Publication Number Publication Date
CN112565299A true CN112565299A (en) 2021-03-26
CN112565299B CN112565299B (en) 2023-11-03

Family

ID=60569704

Family Applications (2)

Application Number Title Priority Date Filing Date
CN201711129036.XA Active CN108696494B (en) 2017-03-29 2017-11-15 Content-based optimization and pre-fetch mechanism for security analysis of network devices
CN202011562406.0A Active CN112565299B (en) 2017-03-29 2017-11-15 Content-based optimization and pre-acquisition mechanism for security analysis of network devices

Family Applications Before (1)

Application Number Title Priority Date Filing Date
CN201711129036.XA Active CN108696494B (en) 2017-03-29 2017-11-15 Content-based optimization and pre-fetch mechanism for security analysis of network devices

Country Status (3)

Country Link
US (2) US10554684B2 (en)
EP (1) EP3382589A1 (en)
CN (2) CN108696494B (en)

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10387676B2 (en) * 2015-09-14 2019-08-20 Viasat, Inc. Machine-driven crowd-disambiguation of data resources
US10554684B2 (en) 2017-03-29 2020-02-04 Juniper Networks, Inc. Content-based optimization and pre-fetching mechanism for security analysis on a network device
US10929878B2 (en) * 2018-10-19 2021-02-23 International Business Machines Corporation Targeted content identification and tracing
US11709932B2 (en) 2019-01-31 2023-07-25 Rubrik, Inc. Realtime detection of ransomware
US11599629B2 (en) * 2019-01-31 2023-03-07 Rubrik, Inc. Real-time detection of system threats
US11196837B2 (en) * 2019-03-29 2021-12-07 Intel Corporation Technologies for multi-tier prefetching in a context-aware edge gateway
US11537678B1 (en) * 2021-08-31 2022-12-27 International Business Machines Corporation Fast-tracking of web requests using a request digest

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1759396A (en) * 2003-03-13 2006-04-12 Koninklijke Philips Electronics N.V. Improved data retrieval method and system
US20140254379A1 (en) * 2011-11-30 2014-09-11 Juniper Networks, Inc. Traffic classification and control on a network node
US20150215326A1 (en) * 2006-07-10 2015-07-30 Websense, Inc. System and method for analyzing web content
CN105897589A (en) * 2015-02-12 2016-08-24 Intel Corporation Technologies for concurrency of cuckoo hashing flow lookup

Family Cites Families (21)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7203959B2 (en) 2003-03-14 2007-04-10 Symantec Corporation Stream scanning through network proxy servers
US7462258B2 (en) * 2005-06-29 2008-12-09 Kimberly-Clark Worldwide, Inc. Paper towel with superior wiping properties
US7624436B2 (en) * 2005-06-30 2009-11-24 Intel Corporation Multi-pattern packet content inspection mechanisms employing tagged values
US7979460B2 (en) * 2006-02-15 2011-07-12 Sony Computer Entertainment America Inc. Systems and methods for server management
MX2008012891A (en) * 2006-04-06 2009-07-22 Smobile Systems Inc Malware detection system and method for limited access mobile platforms.
US8607066B1 (en) 2008-08-04 2013-12-10 Zscaler, Inc. Content inspection using partial content signatures
US8737619B2 (en) * 2008-11-07 2014-05-27 Telefonaktiebolaget L M Ericsson (Publ) Method of triggering location based events in a user equipment
US8700892B2 (en) * 2010-03-19 2014-04-15 F5 Networks, Inc. Proxy SSL authentication in split SSL for client-side proxy agent resources with content insertion
WO2011130510A1 (en) 2010-04-16 2011-10-20 Sourcefire, Inc. System and method for near-real time network attack detection, and system and method for unified detection via detection routing
US9171088B2 (en) * 2011-04-06 2015-10-27 Google Inc. Mining for product classification structures for internet-based product searching
US8893253B2 (en) * 2011-11-29 2014-11-18 Bayshore Networks, Inc. Firewall apparatus, systems, and methods employing detection of application anomalies
US20140025437A1 (en) * 2012-07-13 2014-01-23 Quosal, Llc Success guidance method, apparatus, and software
US9703214B2 (en) * 2013-07-19 2017-07-11 Canon Kabushiki Kaisha Lithography apparatus, lithography method, and article manufacturing method
CN103632069B (en) * 2013-11-19 2017-02-01 Beijing Qianxin Technology Co., Ltd. Terminal safety managing method and device in internal network
US11403673B2 (en) * 2014-02-13 2022-08-02 Apple Inc. Valuation of invitational content slots based on user attentiveness
GB2530272B (en) * 2014-09-16 2020-10-07 Nottingham Scient Limited GNSS Jamming Signal Detection
DE102015200348A1 (en) * 2015-01-13 2016-07-14 Zf Friedrichshafen Ag Adjustable damper valve device
KR101713426B1 (en) * 2015-07-24 2017-03-08 Industry-Academic Cooperation Foundation, Chonnam National University Light emitting diode and method for fabricating thereof
US10031949B2 (en) * 2016-03-03 2018-07-24 Tic Talking Holdings Inc. Interest based content distribution
US10282368B2 (en) * 2016-07-29 2019-05-07 Symantec Corporation Grouped categorization of internet content
US10554684B2 (en) 2017-03-29 2020-02-04 Juniper Networks, Inc. Content-based optimization and pre-fetching mechanism for security analysis on a network device

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1759396A (en) * 2003-03-13 2006-04-12 Koninklijke Philips Electronics N.V. Improved data retrieval method and system
US20150215326A1 (en) * 2006-07-10 2015-07-30 Websense, Inc. System and method for analyzing web content
US20140254379A1 (en) * 2011-11-30 2014-09-11 Juniper Networks, Inc. Traffic classification and control on a network node
CN105897589A (en) * 2015-02-12 2016-08-24 Intel Corporation Technologies for concurrency of cuckoo hashing flow lookup

Also Published As

Publication number Publication date
EP3382589A1 (en) 2018-10-03
US11632389B2 (en) 2023-04-18
CN108696494B (en) 2021-02-12
US10554684B2 (en) 2020-02-04
CN112565299B (en) 2023-11-03
US20180288089A1 (en) 2018-10-04
CN108696494A (en) 2018-10-23
US20200153853A1 (en) 2020-05-14

Similar Documents

Publication Publication Date Title
CN108696494B (en) Content-based optimization and pre-fetch mechanism for security analysis of network devices
US11985163B2 (en) Security appliance
US10445502B1 (en) Susceptible environment detection system
EP2865165B1 (en) Method and device for secure content retrieval
US10027691B2 (en) Apparatus and method for performing real-time network antivirus function
US11539750B2 (en) Systems and methods for network security memory reduction via distributed rulesets
JP5610451B2 (en) Individual validity period for computer file reputation scores
US20190332771A1 (en) System and method for detection of malicious hypertext transfer protocol chains
US8850584B2 (en) Systems and methods for malware detection
US20120222117A1 (en) Method and system for preventing transmission of malicious contents
US20140196144A1 (en) Method and Apparatus for Detecting Malicious Websites
RU2653241C1 (en) Detecting a threat of a zero day with the use of comparison of a leading application/program with a user agent
US8910269B2 (en) System, method, and computer program product for preventing communication of unwanted network traffic by holding only a last portion of the network traffic
WO2018076697A1 (en) Method and apparatus for detecting zombie feature
US20210029140A1 (en) Detection and prevention of hostile network traffic flow appropriation and validation of firmware updates
US11057347B2 (en) Filtering data using malicious reference information
US9465921B1 (en) Systems and methods for selectively authenticating queries based on an authentication policy
WO2022156293A1 (en) Method and apparatus for processing alert log, and storage medium
CN108604273B (en) Preventing malware downloads
US10805300B2 (en) Computer network cross-boundary protection
US20220182396A1 (en) Method and system to handle files in antivirus actions

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant